
HEUR:Trojan-PSW.Script.Generic false positive


CJS


Hi there:

Users with Kaspersky Internet Security are telling me that a web page is being blocked because of a HEUR:Trojan-PSW.Script.Generic detection.

But requesting a report, I see "all green" and no viruses: https://opentip.kaspersky.com/https%3A%2F%2Fjusticio.es/?tab=web

I understand it's a false positive, but I would like to know how to remove this warning for Kaspersky's users, since it's giving the page a false reputation.

Thank you

 

image.png


Yes, I know ... but then, why are some users receiving that block message?

It would be great to have more information in those screens, don't you think? Something users can "click and send info to developers" and HELP webmasters.

From my point of view, it's not very ethical to "block" a page and not give more information to developers, or not provide an "easy to send" button for users that want to help webmasters to avoid that block.

Moreover when this block is a false positive.

IMHO!

  • Like 1

Flood and Flood's wife

Hi @harlan4096 & @CJS

Event: Malicious object detected
User type: Initiator
Application name: chrome.exe
Application path: C:\Program Files\Google\Chrome\Application
Component: Safe Browsing
Result description: Detected
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path: https://justicio.es
MD5 of an object: 15346BEED730927A1BD7FEE39BE9B648
Reason: Expert analysis
Databases release date: Yesterday, 15/10/2024 11:36:00 PM

Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife
removed vt. already posted by H😅
  • Like 1

43 minutes ago, harlan4096 said:

Can you send a capture of the details of the detection, from K. Reports?

Also, the detection is .generic... so it is an "automatic detection" -> Heuristic:

https://threats.kaspersky.com/en/threat/Trojan-PSW.Script.Generic/

 

 

I don't understand the "from K. Reports" ... I'm not a Kaspersky user ... I have only what a Kaspersky user sent me after visiting this page.

And, although it is "generic", it provokes a navigation stopper, and therefore an undeserved bad reputation.


This is the reply of K analysts:


 

Quote

 

Hello,

We were unable to reproduce the detection.
Please update your antivirus bases.
If the problem persists, please send the screenshots showing both the filename and the verdict.


Best regards, Malware Analyst

 

 

  • Like 1

I wish the file name were mentioned, that’s the point I’m trying to suggest … you can’t just put “the homepage URL” and say “there’s a virus” without providing more information, neither for your customers nor for the developers …

 

Anyway, I’m not trying to fight against your business model … I just don’t think this type of vague error report helps. You block the user, damage the reputation of the site, and all because of a false positive…

 

Anyway …


harlan4096

I reported the @Flood and Flood's wife detection details, still waiting.

I've also just checked the URL with Firefox + Kaspersky Premium 21.18a and I still can't get the detection 🤷‍♂️

  • Like 1

harlan4096

I got a new reply, from a different analyst (I omitted his name in the reply, for personal reasons):


 

Quote

 

Hello,

We were unable to reproduce the detection.
If the problem persists, please send us the detected webpage as a file.

Best regards, Malware Analyst

 

 

  • Like 1

Also, according to some second-opinion tools the site is 'clean', which is confirmed in the post from @harlan4096 above my post 👍

Two verdicts only report a warning:

  1. " Invalid URL in redirect error on  https : //justicio.es/contacto  "
  2. " Can't fetch file pointed by your url  'https : //justicio.es/contacto  "
  • Like 1

I really appreciate the efforts of some of you confirming the site is clean on your side.

But I can assure you that users don’t make up the screenshot with which I start this thread ;-)

  • Like 2